

About this Guide 


Welcome to Qualys Container Security! We'll help you get acquainted with the Qualys 
solutions for securing your Container environments like Images, Containers and Docker 
Hosts using the Qualys Cloud Security Platform. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a
founding member of the Cloud Security Alliance (CSA). For more information, please visit
www.qualys.com 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access online support information at www.qualys.com/support/. 


About Container Security Documentation 


This document provides information about using the Qualys Container Security UI to 
monitor vulnerabilities in Images, Containers, and Registries. 


For information on deploying the sensor on MAC, CoreOS, and various orchestrators and 
cloud environments, refer to: 


Qualys Container Sensor Deployment Guide 

For information on using the Container Security API, refer to: 

Qualys Container Security API Guide 

For information on deploying the sensor in CI/CD environments refer to: 
Qualys Container Scanning Connector for Jenkins 

Qualys Container Scanning Connector for Bamboo 


Qualys Container Scanning Connector for Azure DevOps 


Container Security Overview 


Qualys Container Security provides discovery, tracking, and continuous protection of
container environments. It addresses vulnerability management for images and containers
in the DevOps pipeline and in deployments across cloud and on-premises environments.
With this version, Qualys Container Security supports:

- Discovery, inventory, and near-real-time tracking of container environments
- Vulnerability analysis for images and containers
- Vulnerability analysis for registries
- Compliance assessment for images and containers
- Integration with the CI/CD pipeline using APIs (DevOps flow)
- The Container Sensor, which provides native container support and is distributed as a
Docker image
Concepts and Terminologies


Docker Image


A Docker image is a read-only template. For example, an image could contain an Ubuntu 
operating system with Apache and your web application installed. Images are used to 
create Docker containers. Docker provides a simple way to build new images or update 
existing images, or you can download Docker images that other people have already 
created. Docker images are the build component of Docker. 


An image is a static specification of what the container should be at runtime, including
the application code inside the container and its runtime configuration settings. Docker
images consist of read-only layers, which means that once an image is created it is never
modified.


An image is tracked within the Qualys Container Security module by its Image Id and by a
unique identifier generated by Qualys, the Image UUID.


Docker Registry 


Docker registries hold images. These are public or private stores from which you upload or 
download images. It serves a huge collection of existing images for your use. These can be 
images you create yourself or you can use images that others have previously created. 
Docker registries are the distribution component of Docker. See Registry Scanning to learn 
about the public and private registries we support for scanning. For instrumentation 
support, see Container Runtime Security. 


Docker Containers 


Docker containers are similar to a directory. A Docker container holds everything that is 
needed for an application to run. Each container is created from a Docker image. Docker 
containers can be run, started, stopped, moved, and deleted. Each container is an isolated 
and secure application platform. Docker containers are the run component of Docker. 


A running Docker container is an instantiation of an image. Containers derived from the
same image are identical to each other in terms of their application code and runtime
dependencies. But unlike images that are read-only, each running container includes a
writable layer (a.k.a. the container layer) on top of the read-only content. Runtime
changes, including any writes and updates to data and files, are saved in the container
layer only. Thus multiple concurrent running containers that share the same underlying
image may have different container layers.


Containers are tracked within the Qualys Container Security module by their Container Id
and by a unique identifier generated by Qualys, the Container UUID.


Docker Host 


Hosts or servers running containerd, CRI-O or the Docker daemon and hosting containers
and images. Qualys tracks them as Host Assets and collects metadata including the IP
address, DNS name and other attributes of the host. A host in Qualys is identified by a
unique identifier, the Host UUID. The UUID is also stored in a marker file under the
/usr/local/qualys directory by the Cloud Agent or by an authenticated scan via a Scanner
Appliance.


Qualys Container Sensor


The Qualys Container Sensor is designed for native support of Docker environments. The
sensor is packaged and delivered as a Docker image. Download the image and deploy it as a
container alongside the other application containers on the host.


The sensor is Docker based and can be deployed on hosts in your data center or in cloud
environments such as AWS ECS, Azure Container Service or Google Container Service. The
sensor is currently only supported on Linux operating systems such as CentOS, Ubuntu,
RHEL and Debian, and requires a Docker daemon of version 1.12 or higher to be available.


Since it is Docker based, the sensor can be deployed into orchestration tool environments
such as Kubernetes, Mesos or Docker Swarm just like any other application container.


Upon installation, the sensor automatically discovers the images and containers on the
host it is deployed on, provides a vulnerability analysis of them, and additionally
monitors and reports on the Docker-related events on the host. The sensor also performs
compliance assessments. The sensor container runs in non-privileged mode. It requires
persistent storage for storing and caching files.




Currently, the sensor only scans images and containers. To scan hosts, you need Qualys
Cloud Agents or a scan through the Qualys Virtual Scanner Appliance. The sensor currently
does not collect inventory specific to orchestration tools and identifies the nodes/slaves
simply as Docker hosts.


Refer to the Qualys Container Security Sensor Deployment Guide to learn about sensor 
modes (General, Registry, CI/CD). 


What data does Container Security collect? 


The Qualys Container Security sensor fetches the following information about Images and
Containers in your environment:


- Inventory of Images and Containers in your environment, from commands such as
docker ps, which lists all containers.

- Metadata about Images and Containers, from commands such as docker inspect and
docker info, which fetch low-level information on Docker objects.

- Event information about Images and Containers from the Docker host, for Docker events
such as created, started, killed, push, pull, etc.

- Vulnerabilities found on Images and Containers. This is the output of the vulnerability
management manifests run to identify vulnerability information in Images and
Containers: primarily the software package listing, running services, ports, etc. For
example, package manager outputs such as rpm -qa and npm. This is supported across
various Linux distributions (CentOS, Ubuntu, CoreOS, etc.) and across images such as
Python, NodeJS, Ruby, and so on.

- Compliance configurations for OCI-compliant images and running containers. A subset of
controls from the CIS Docker benchmarks that apply to running containers and images is
supported. Customers can assess configuration risks in their running containers and
images and remediate them based on the Qualys findings. Compliance scans of containers
and images are transparent to customers and run in the same real-time, cloud-native
manner as the vulnerability scanning feature.


Container Security free version


Qualys has introduced a free version of the Container Security App to enable customers to 
get a glimpse of what Container Security offers. The free version provides you a view of 
containers and images in your environment. You must upgrade to a Container Security 
paid subscription if you want to scan those images and containers for vulnerabilities. 


Container Security gets image and container information from either of the following 
sources if the host contains Docker: 


Cloud Agents / Scanners 


Cloud Agents installed on hosts or Scanners (via Authenticated Scans) will fetch a list of 
containers and images present on the host, and provide this information in the AssetView 
app for each asset under the Asset Details > Container Security pane. 


[Screenshot: Asset Details > Container Security pane for a host, showing Docker version
18.09.6, 11 associated containers, 44 associated images, Containers By Status (Running,
Stopped, Created), Containers by images, and a Top 5 Images by Container count table
(Image Id, Repository, Created On, Containers), with a Take me to Container Security link.]


Click the Take me to Container Security option to enable Container Security free version 
for your account. 


The Container Security app will show metadata of the images and containers but not the 
vulnerability information. You must upgrade to a paid subscription in order to scan the 
images and containers for vulnerabilities. See Hosts to learn more. 


Container Sensor 


Installing the Container Sensor on hosts will fetch vulnerability information for all official 
images from Docker Hub, and the first 10 general sensors installed on assets in your 
account (does not include sensors for CI/CD and registry scanning). Upgrading to a Trial or 
Full (Paid) subscription will remove this limitation. 


API Support 


APIs to list Containers, Images and Sensors, and fetch Container, Image, Sensor Details are 
available for Container Security Free. Upgrade to a paid subscription to get access to all 
Container Security APIs. Please refer to the Qualys Container Security API Guide. 


Container Runtime Security 


Container Runtime Security (CRS) provides runtime behavior visibility and enforcement
capabilities for running containers. This allows customers to address use cases for
running containers such as security best practice enforcement, file access monitoring and
network access control.


CRS requires instrumentation of container images with the Qualys Container Runtime
Instrumentation, which injects probes into the container image. Customers can configure
instrumented images and containers with granular policies that govern container behavior
and visibility. Based on these runtime enforcement policies, runtime events and telemetry
can be obtained from the backend and viewed via the UI or API.


CRS is currently supported for Linux OS based containers only.


CRS Documentation 
CRS User Guide | CRS API Guide 


Get Started 


This chapter provides an overview of Container Security Sensor installation. 


For information on deploying the sensor on MAC, CoreOS, and various orchestrators and 
cloud environments, refer to the Qualys Container Sensor Deployment Guide. 


See About Container Security Documentation 


Qualys Subscription and Modules required 


You need the “Container Security” (CS) module enabled for your account. Additionally, in
order to get vulnerabilities for the hosts that run the containers, you need to enable
Vulnerability Management (VM), either via Scanner Appliance or Cloud Agent.


System support 


Please refer to the Qualys Container Security Sensor Deployment Guide for a list of 
supported systems. 


Deploying Container Sensor 


IMPORTANT: Sensor deployment is one sensor in one mode on one host/node. Deploying more
than one sensor on a host, or a sensor in another mode on the same host, is not supported.


Let's get started! Log into your Qualys portal with your user credentials. Select Container 
Security from the module picker. 


As a first-time user, you'll land directly on the Getting Started page.


[Screenshot: Getting Started page (Home tab), welcoming the user to Qualys Container
Security with the steps Inventory Container Assets, Install Sensors, Detect Vulnerabilities
and Secure Running Containers.]


Go to Configurations > Sensors, and then click Download Sensor to download the sensor 
tar file. You can see various sensor types: 


[Screenshot: Download and Deploy Qualys Container Sensor dialog. Select the environment
you want to deploy the Qualys Container Sensor in, then download the Docker image and
follow the instructions to deploy the Qualys Container.] The sensor types are:

- General (Host) Sensor: scan any host other than registry / build (CI/CD).
- Registry Sensor: scan images in a registry (public or private).
- Build (CI/CD) Sensor: scan images on a CI/CD pipeline (Jenkins / Bamboo).

Each sensor type is downloaded as a tar.xz file.
For Registry you need to append the install command with --registry-sensor or -r 


For CI/CD you need to append the install command with --cicd-deployed-sensor or -c 


Installation Instructions (General (Host) sensor, Ver.: 1.3.1-10)

Qualys Container Sensor supports Discovery, Inventory and Scanning of Images and
Containers. Instructions are shown for Hosts and for Clusters.

Installation Steps

Download the container sensor. A tar file containing the sensor Docker image and the
install script will be downloaded.

Run the following commands to install the sensor. The sensor is pre-configured to connect
to the Qualys Cloud Platform.

    sudo tar -xvf QualysContainerSensor.tar.xz
    sudo mkdir -p /usr/local/qualys/sensor/data
    sudo ./installsensor.sh ActivationId=cb9f9f99-bcee-4d22-bdef-04c34954fef0 CustomerId=d5442c7f-7e29-733d-83b8-256e5af08f17 Storage=/usr/local/qualys/sensor/data -s

Download the QualysContainerSensor.tar.xz file and run the commands generated directly
from the screen on the Docker host. Note the requirements for installing the sensor: it
needs a minimum of 1 GB of persistent storage on the host.


For information on the “installsensor.sh” script command line parameters, refer to the 
“Deploying Container Sensor” section in the Qualys Container Security Sensor 
Deployment Guide. 


Proxy Support 


The install script asks for proxy configuration. You need to provide the IP Address/FQDN 
and port number along with the proxy certificate file path. For example, 


Do you want connection via Proxy [y/N]: y
Enter Https Proxy Settings [<IP Address>:<Port #>]: 10.xx.xx.xx:xxx
Enter Https Proxy certificate file path: /etc/qualys/cloud-agent/cert/ca-bundle.crt


Your proxy server must provide access to the Qualys Cloud Platform (or the Qualys Private 
Cloud Platform) over HTTPS port 443. See Qualys Platform (POD URL) your hosts need to 
access below. 
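As an added example (not part of this guide and not the Qualys install script), the following Python pre-flight check tests the requirements stated above before installsensor.sh is run: a Docker daemon of version 1.12 or higher, at least 1 GB of free space at the Storage path, and, when a proxy is used, a <host>:<port> setting plus a readable CA certificate file. The function names (preflight, docker_version_ok, parse_proxy), the paths in the __main__ block and the free_bytes override used for offline testing are this example's own; `docker version --format '{{.Server.Version}}'` is a standard Docker CLI invocation.

```python
"""Pre-flight check for the Container Sensor install requirements.

Thresholds come from the guide (Docker >= 1.12, 1 GB persistent storage);
the checking logic and names are this added example's own.
"""
import re
import shutil
import subprocess
from pathlib import Path
from typing import Dict, Optional, Tuple

MIN_DOCKER = (1, 12)                 # "docker daemon of version 1.12 and higher"
MIN_STORAGE_BYTES = 1 * 1024 ** 3    # "minimum of 1 GB persistent storage"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '18.09.6' or '20.10.7-ce' into a comparable tuple of ints."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def docker_version_ok(version: str) -> bool:
    return parse_version(version) >= MIN_DOCKER


def storage_ok(path: str, free_bytes: Optional[int] = None) -> bool:
    """Check free space at the Storage path; free_bytes lets tests skip the disk."""
    if free_bytes is None:
        free_bytes = shutil.disk_usage(path).free
    return free_bytes >= MIN_STORAGE_BYTES


def parse_proxy(setting: str) -> Tuple[str, int]:
    """Validate the '<IP Address or FQDN>:<Port>' answer the install script asks for."""
    host, sep, port = setting.strip().rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"proxy must be <host>:<port>, got {setting!r}")
    return host, int(port)


def preflight(docker_version: str, storage_path: str,
              proxy: Optional[str] = None, proxy_cert: Optional[str] = None,
              free_bytes: Optional[int] = None) -> Dict[str, bool]:
    """Return one pass/fail flag per requirement so the caller can report them all."""
    results = {
        "docker_version": docker_version_ok(docker_version),
        "storage": storage_ok(storage_path, free_bytes),
    }
    if proxy is not None:
        try:
            parse_proxy(proxy)
            results["proxy_setting"] = True
        except ValueError:
            results["proxy_setting"] = False
        # The proxy CA bundle must exist where the install script will read it.
        results["proxy_cert"] = bool(proxy_cert) and Path(proxy_cert).is_file()
    return results


def live_docker_version() -> str:
    """Ask the local daemon for its server version (requires Docker to be installed)."""
    out = subprocess.check_output(
        ["docker", "version", "--format", "{{.Server.Version}}"], text=True)
    return out.strip()


if __name__ == "__main__":
    # Hypothetical values for a manual run; the storage path is the one the guide uses.
    report = preflight(live_docker_version(), "/usr/local/qualys/sensor/data",
                       proxy="10.0.0.1:3128",
                       proxy_cert="/etc/qualys/cloud-agent/cert/ca-bundle.crt")
    for check, ok in report.items():
        print(f"{check:15s} {'OK' if ok else 'FAIL'}")
```

Run it on the Docker host before extracting the sensor tarball; a FAIL on storage or docker_version means the install script's own requirements will not be met.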


Qualys Platform (POD URL) your hosts need to access 
The Qualys URL you use depends on the Qualys platform where your account is located. 


Click here to identify your Qualys platform and get the Container Security Server URL 


POD URL value 


The “Container Security Server URL” for your platform (found at the link above) is the URL
you'll need to provide for the POD_URL variable in Container Security Sensor commands
and in configuration yaml files when deploying the sensor.


Sensor network configuration 


The sensor is pre-configured with the Qualys URL and the subscription details it needs to 
communicate to Qualys. In order for the sensor to communicate to Qualys, the network 
configuration and firewall needs to provide accessibility to Qualys domain over port 443. 


After successful installation, the sensor is listed in the Container Security UI under
Configurations > Sensors, where you can see its version, status, etc., and access its
details. Additionally, you can download the sensor from the UI.


Static scanning of Docker images 


The sensor performs static scanning of Docker images as a fallback to the usual dynamic
scanning when the image does not have a shell. Static scanning is also performed for
Google distroless images, which have no shell. Static scanning is not performed on Docker
containers, or on Docker images that have a shell.


Static scanning collects the list of installed software from the Docker image file system to 
find vulnerabilities in the Docker images. The installed software list is retrieved from the 
Package manager metadata files. Package managers supported are RPM, DPKG and Alpine. 


If you have large images without a shell on the host where the sensor is running, the disk
space requirement may exceed the 1 GB minimum.
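To make the static path concrete, here is an added Python example (not Qualys code) of reading the package-manager metadata files from an unpacked image root filesystem the way a no-shell scan must: /var/lib/dpkg/status for Debian/Ubuntu and /lib/apk/db/installed for Alpine, without executing anything from the image. The sample file contents are constructed in the real on-disk formats; the RPM database is a binary store (BerkeleyDB or SQLite) and is deliberately left out; the function names are this example's own.

```python
"""Static package inventory from an image root filesystem (added example)."""
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed sample of /var/lib/dpkg/status: stanzas separated by blank lines,
# one of which is a removed package that must not be reported.
DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1f-1ubuntu2
Architecture: amd64

Package: removed-pkg
Status: deinstall ok config-files
Version: 0.1

Package: libc6
Status: install ok installed
Version: 2.31-0ubuntu9
"""

# Constructed sample of Alpine's /lib/apk/db/installed: one-letter keys.
APK_INSTALLED = """\
P:musl
V:1.2.2-r3
A:x86_64

P:busybox
V:1.33.1-r3
A:x86_64
"""


def parse_dpkg_status(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) for stanzas whose Status ends in 'installed'."""
    pkgs = []
    for stanza in text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        for line in stanza.splitlines():
            # Continuation lines (e.g. multi-line Description) start with a space.
            if ":" in line and not line.startswith(" "):
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        if fields.get("Status", "").split()[-1:] == ["installed"]:
            pkgs.append((fields["Package"], fields.get("Version", "")))
    return pkgs


def parse_apk_installed(text: str) -> List[Tuple[str, str]]:
    """Alpine's installed db: P = package name, V = version."""
    pkgs = []
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(":", 1) for line in stanza.splitlines() if ":" in line)
        if "P" in fields and "V" in fields:
            pkgs.append((fields["P"], fields["V"]))
    return pkgs


def inventory_rootfs(rootfs: Path) -> Dict[str, List[Tuple[str, str]]]:
    """Look for each supported package database below the image root."""
    found: Dict[str, List[Tuple[str, str]]] = {}
    dpkg = rootfs / "var/lib/dpkg/status"
    if dpkg.is_file():
        found["dpkg"] = parse_dpkg_status(dpkg.read_text())
    apk = rootfs / "lib/apk/db/installed"
    if apk.is_file():
        found["apk"] = parse_apk_installed(apk.read_text())
    return found


def build_sample_rootfs() -> Path:
    """Create a throwaway directory laid out like an image root, with both
    sample databases in place, so the walk can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    (root / "var/lib/dpkg").mkdir(parents=True)
    (root / "var/lib/dpkg/status").write_text(DPKG_STATUS)
    (root / "lib/apk/db").mkdir(parents=True)
    (root / "lib/apk/db/installed").write_text(APK_INSTALLED)
    return root


if __name__ == "__main__":
    for manager, packages in inventory_rootfs(build_sample_rootfs()).items():
        print(manager, packages)
```

Point inventory_rootfs at a directory produced by extracting an image's layers to see the same (name, version) pairs a vulnerability lookup would key on; a distroless image yields neither file, which is why those images need the package metadata they ship rather than a shell.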


Securing Container Assets 


Asset Inventory 


Upon installation of the sensor, it automatically scans the host for the images and
containers that are present on the host. The inventory and its metadata are pushed to the
Qualys portal.


Unified Dashboard 


Dashboards help you visualize your container environment assets, see your threat
exposure, leverage saved searches, and prioritize vulnerability fixes quickly.


We have integrated Unified Dashboard (UD) with Container Security. UD brings 
information from all Qualys applications into a single place for visualization. UD provides 
a powerful new dashboarding framework along with platform service that will be 
consumed and used by all other products to enhance the existing dashboard capabilities. 


You can use the default Container Security dashboard provided by Qualys or easily 
configure widgets to pull information from other modules/applications and add them to 
your dashboard. You can also add as many dashboards as you like to customize your view. 
For help creating widgets, dashboards, templates and more, please refer to the Unified 
Dashboard online help. 


[Screenshot: Add Widget to Dashboard (CS) dialog. The Templates list includes Container
Security, CloudView and Patch Management; the Container Security template offers All
Widgets (26), Default Widgets (21) and User-defined Widgets (1), for example Container
Distribution by Vulnerability Severity (container count by vulnerability severity) and
Container Distribution by State (container count by container state).]


Asset Details 


The Assets section lists the Images and Containers discovered along with their metadata 
information like ports, networks, services, users, installed software, etc. The assets are 
listed along with their associations like associated containers and hosts for an image, 
other containers from the same parent image. Users can search for images and containers 
based on their attributes. 
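Both the data-collection section (metadata from docker inspect) and this Assets description refer to the same per-container attributes: ports, networks, user, and the root and privileged properties behind the Containers tab's Root Containers and Privileged Containers filters. The following Python script is an added example, not Qualys code, showing how such a record is derived from the JSON that `docker inspect` prints; the sample entry (container name, padded ids) and the ContainerRecord, parse_inspect and risky_containers names are this example's own constructions, while the field names are those of the Docker Engine API.

```python
"""Derive container inventory metadata from `docker inspect` JSON (added example)."""
import json
from dataclasses import dataclass, field
from typing import List

# Constructed sample: one element of the array `docker inspect <container>` prints.
SAMPLE_INSPECT = json.dumps([{
    "Id": "9f0979eca794" + "0" * 52,
    "Name": "/container_abc",
    "State": {"Status": "running"},
    "Config": {"User": "", "Image": "image_abc:latest"},
    "HostConfig": {"Privileged": True},
    "NetworkSettings": {
        "Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}],
                  "443/tcp": None},          # exposed but not published
        "Networks": {"bridge": {"IPAddress": "172.17.0.2"}},
    },
}])


@dataclass
class ContainerRecord:
    container_id: str          # 12-character short id, as shown in the UI
    name: str
    image: str
    state: str
    user: str
    runs_as_root: bool
    privileged: bool
    published_ports: List[str] = field(default_factory=list)
    networks: List[str] = field(default_factory=list)


def is_root_user(user: str) -> bool:
    """Docker starts the process as root when Config.User is empty, 'root' or
    uid 0 (optionally with a group, e.g. '0:0')."""
    uid = user.split(":")[0].strip()
    return uid in ("", "root", "0")


def parse_inspect(raw: str) -> List[ContainerRecord]:
    records = []
    for entry in json.loads(raw):
        cfg = entry.get("Config", {})
        net = entry.get("NetworkSettings", {})
        ports = []
        for container_port, bindings in (net.get("Ports") or {}).items():
            for b in bindings or []:
                ports.append(f"{b['HostIp']}:{b['HostPort']}->{container_port}")
        user = cfg.get("User", "")
        records.append(ContainerRecord(
            container_id=entry["Id"][:12],
            name=entry.get("Name", "").lstrip("/"),
            image=cfg.get("Image", ""),
            state=entry.get("State", {}).get("Status", "unknown"),
            user=user,
            runs_as_root=is_root_user(user),
            privileged=bool(entry.get("HostConfig", {}).get("Privileged")),
            published_ports=ports,
            networks=sorted((net.get("Networks") or {}).keys()),
        ))
    return records


def risky_containers(records: List[ContainerRecord]) -> List[str]:
    """Ids that would fall under the Root Containers or Privileged Containers filters."""
    return [r.container_id for r in records if r.runs_as_root or r.privileged]


if __name__ == "__main__":
    recs = parse_inspect(SAMPLE_INSPECT)
    for rec in recs:
        print(rec)
    print("flagged:", risky_containers(recs))
```

Feed it the output of `docker inspect $(docker ps -q)` on a host to get the same attribute set the Assets tab lists, plus the two flags that most often decide whether a container warrants attention first.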


Jump to a section: Hosts | Images | Containers | Registries 


Hosts 


The Assets > Hosts tab shows container hosts discovered and scanned by the Qualys Cloud
Agent and/or Qualys Network Scanner. Currently, container hosts discovered and scanned
only by the Qualys Container Sensor are not shown in this list; use the Images or
Containers tabs for those. Additionally, Qualys Container Sensors currently only support
hosts and clusters with Linux-based host OSes and Mac OS.


For each host in the list, you'll see the image and container count. Image and container 
details can be viewed in their respective tabs. 


Use QQL search tokens to search for hosts. See the online help for a list of search tokens. 


[Screenshot: Assets > Hosts tab, with a hosts search box, Total Hosts and Hosts missing
Sensor counts, and a list of hosts (hostname, operating system, image count, container
count).]

Access the details page for a host from the Sensor details page. The Asset Details view
displays information about the host on which the sensor is deployed. Besides system,
network and port information, the Asset Details view also displays a list of software
installed on the host, vulnerabilities present, certificates, and Threat Protection RTIs
(when the Qualys TP app is enabled). The Container Security panel shows all containers
installed on the host, their status, and the images from which the containers are spawned.
[Screenshot: Asset Details view for a host, Container Summary pane: Docker version
17.12.0-ce, 262 associated containers and 201 associated images, Containers By Status
(Running, Paused, Stopped, Deleted), Containers By Top 5 Vulnerable Images, Image
Distribution (total images with and without containers), and Sensor Information (sensor
container ID, status, version).]
Images 


The Assets > Images tab shows the discovered images along with their metadata 
information. Use QQL search tokens to search for images. See the online help for a list of 
search tokens. 


[Screenshot: Assets > Images tab. Summary counts: Total Images, Images detected without
CS Sensor, Images with Sev 5, 4 Vulnerabilities, Docker Hub Official Images, Images not
Compliant. Filter panels: Registry, Vulnerabilities (count by Severity 5 to 1), Compliance
Posture (Fail). Each row shows registry, repository, created date, tag, Image Id, number of
containers, vulnerability count and the hosts the image is on.]

Select View Details from the Quick Actions menu for any image in the list to get 
comprehensive information about the image. You can view detailed information about the 
image, its associations with containers, drift containers, and hosts. 


- The Installed Software section displays software having vulnerabilities, and for which 
fixes (patches) are available. 


- The Vulnerabilities section provides vulnerability information, such as confirmed and 
potential vulnerabilities with their severity. For each vulnerability you'll see the 
vulnerability age (in days). Age is calculated from the point Qualys published the 
vulnerability. 


- The Compliance section provides a list of controls that were scanned with control details 
(CID, criticality, statement, category, technologies). 


- The Layers section displays a list of layers the image is made of. 


[Screenshot: Image Details view for image_abc, Summary mode: Image Information (tag
latest, size 801.31 MB, DockerHub, Scan Type: Dynamic), with Installed Software,
Vulnerabilities, Layers and Compliance sections, and an Associations panel showing
vulnerability, compliance and associated container breakdowns.]

Containers 


The Assets > Containers tab shows the discovered containers along with their metadata 
information. Use QQL search tokens to search for containers. See the online help for a list 
of search tokens. 


[Screenshot: Assets > Containers tab. Summary counts: Total Containers, Root Containers,
Privileged Containers, Containers detected without CS Sensor, Containers in Drift,
Containers not Compliant. Filter panels: Vulnerabilities (count by Severity 5 to 1), State,
Drift, Privileged, Root, Compliance Posture. Each row shows container name, created date,
host, state, time of the last state change, Container Id, host IP and vulnerability count.]

Select View Details from the Quick Actions menu for any container in the list to get 
comprehensive information about the container. You'll get detailed information about the 
container, its associations with an image, drift containers, and hosts. 


- Container “State” is updated based on the Docker events (exec_start, kill, destroy, stop)
that the Qualys Sensor reports to the Qualys Cloud Platform.


- The Services/Users section displays the list of services available in the container and
the users associated with the container.


- The Installed Software section displays software having vulnerabilities, and for which
fixes (patches) are available.


- The Vulnerabilities section provides vulnerability information, such as confirmed and
potential vulnerabilities with their severity. For each vulnerability you'll see the
vulnerability age (in days). Age is calculated from the point Qualys published the
vulnerability.


- The Compliance section provides a list of controls that were scanned with control details
(CID, criticality, statement, category, technologies).
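The state rule above, together with the event collection described under What data does Container Security collect?, can be illustrated with an added Python example (not Qualys code) that folds a stream of Docker events into a per-container state. The sample event lines are constructed in the shape of `docker events --format '{{json .}}'` output (ids reuse values seen in this guide, names are invented), and the ACTION_TO_STATE mapping is this example's own assumption, chosen to mirror the states the Containers tab displays (CREATED, RUNNING, PAUSED, STOPPED, DELETED).

```python
"""Replay Docker container events into the container state the UI shows (added example)."""
import json
from typing import Dict, Iterable

# Assumed mapping from container event action to displayed state. Note that
# "kill" only sends a signal; Docker emits "die" once the process has exited,
# so "die" is the authoritative transition and "kill"/"stop" merely anticipate it.
ACTION_TO_STATE = {
    "create": "CREATED",
    "start": "RUNNING",
    "unpause": "RUNNING",
    "exec_start": "RUNNING",   # exec only succeeds inside a running container
    "pause": "PAUSED",
    "stop": "STOPPED",
    "kill": "STOPPED",
    "die": "STOPPED",
    "destroy": "DELETED",
}


def _ev(action, cid, name, t, **attrs):
    attrs["name"] = name
    return json.dumps({"Type": "container", "Action": action,
                       "Actor": {"ID": cid, "Attributes": attrs}, "time": t})


# Constructed sample stream, one JSON object per line, in arrival order.
SAMPLE_EVENTS = "\n".join([
    _ev("create", "6b0add73afef", "web", 1615800000),
    _ev("start", "6b0add73afef", "web", 1615800001),
    json.dumps({"Type": "image", "Action": "pull",
                "Actor": {"ID": "nginx:latest", "Attributes": {}}, "time": 1615800002}),
    _ev("create", "e0a288061bbf", "db", 1615800003),
    _ev("start", "e0a288061bbf", "db", 1615800004),
    _ev("exec_start: sh", "e0a288061bbf", "db", 1615800005),   # Docker appends the command
    _ev("kill", "6b0add73afef", "web", 1615800006, signal="15"),
    _ev("die", "6b0add73afef", "web", 1615800007, exitCode="143"),
    _ev("destroy", "6b0add73afef", "web", 1615800008),
])


def container_states(lines: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Fold events in arrival order; the last state-changing event per id wins."""
    states: Dict[str, Dict[str, object]] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("Type") != "container":
            continue                       # image/network/volume events carry no container state
        action = ev["Action"].split(":", 1)[0].strip()   # "exec_start: sh" -> "exec_start"
        new_state = ACTION_TO_STATE.get(action)
        if new_state is None:
            continue                       # e.g. attach, exec_create: no state change
        cid = ev["Actor"]["ID"][:12]
        rec = states.setdefault(cid, {
            "name": ev["Actor"].get("Attributes", {}).get("name", ""),
            "state": "UNKNOWN",
            "last_event": None,
        })
        rec["state"] = new_state
        rec["last_event"] = (action, ev.get("time"))
    return states


def count_by_state(states: Dict[str, Dict[str, object]]) -> Dict[str, int]:
    """The Containers By Status breakdown the host summary pane shows."""
    counts: Dict[str, int] = {}
    for rec in states.values():
        counts[rec["state"]] = counts.get(rec["state"], 0) + 1
    return counts


if __name__ == "__main__":
    result = container_states(SAMPLE_EVENTS.splitlines())
    for cid, rec in result.items():
        print(cid, rec)
    print(count_by_state(result))
```

Because the fold is last-write-wins per id, a container that was created before the sensor started is still classified correctly from the first event observed for it, and an exec into a container (the exec_start event the guide lists) refreshes its RUNNING state without a separate start.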


[Screenshot: View Details for container_abc, Summary mode: Container Details (name,
Container Id, state RUNNING, drift False, duration), with Network, Services/Users,
Installed Software, Vulnerabilities and Compliance sections, and an Associations panel
showing vulnerability, compliance and associated container breakdowns.]


Registries 


The Assets > Registries tab shows the registries in your account. Use QQL search tokens 
to search for registries. See the online help for a list of search tokens. 


[Screenshot: Assets > Registries tab with a registries search box, a New Registry button,
the Total Registries count, and a list of registries showing scan status (Finished),
registry URL and Last Scanned on date.]


Select View Details from the Quick Actions menu for any registry in the list to get 
comprehensive information about the registry. You can view detailed information about 
the registry: number of repositories, total number of images and number of vulnerable 
images within that registry. The Scan Jobs panel lists the On Demand and Automatic Jobs 
created for that registry. For more information, see Registry Scanning. 


[Screenshot: View Details for a private registry, Registry Summary mode: Registry Type
Docker V2-Private, Total repositories 17, Total images 60, Total vulnerable images 29, with
Scan Settings (URL, Username), Scan Jobs and Activity sections.]

Vulnerability scanning of Docker Images 


The Docker images are scanned by the Qualys container sensor to check for the presence of
any vulnerabilities. The Vulnerabilities panel in Image Details provides a list of
vulnerabilities with Severity along with their QIDs. Select Show Patchable Vulnerabilities
to view vulnerabilities with available patches.


Qualys scans the Docker images for vulnerabilities not through static analysis but via a
non-static method in which it looks at the image as a complete entity. This process is more
effective and has fewer false positives (FP) than the more commonly used static analysis.


[Screenshot: Image Details > Vulnerabilities for image node: severity filter (Sev5 to Sev1),
Show Patchable Vulnerabilities option, Vulnerabilities By Severity chart, and a list of
vulnerabilities with QID, title, severity, CVE ID (e.g. CVE-2018-15473 for QID 38726,
OpenSSH Username Enumeration), age in days and detection time.]
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Securing Container Assets 
Vulnerability scanning of Docker Images 


Docker images are distributed across the environment: on developer laptops, on build 
systems, in image registries, and cached on the Docker hosts that run containers. To 
inventory the images and scan them for vulnerabilities, the Container Sensor must be 
deployed on the host that holds them. Refer to Deploying Container Sensor for the install 
instructions and system requirements. 


On the local host or laptops 


To get an inventory of the images and scan them for vulnerabilities, deploy the container 
sensor on the local host. Refer to Deploying Container Sensor for the install instructions 
and system requirements. 


To deploy the sensor on Mac laptops there are additional install steps; follow the 
instructions in the Qualys Container Security Sensor Deployment Guide. See About 
Container Security Documentation. 


Once installed, the sensor automatically detects the images on the host and provides an 
inventory and a vulnerability scan of each image. 


In the CI/CD pipeline 


Checking an image for vulnerabilities at build time gives a much cleaner operating 
environment. Qualys Container Security provides plugins for Jenkins and Bamboo that 
report the vulnerability analysis of images inside the build environment. If you use other 
tools, the REST APIs are available to perform vulnerability analysis on the images. 


To start, deploy the Container Sensor on the build host where the images are created. 
Once installed, the sensor automatically triggers a vulnerability analysis of each new 
image it finds. Use the API or the plugin to look up the vulnerabilities in the images. In a 
Jenkins or Bamboo environment the plugin shows the detailed list of vulnerabilities 
directly; you can optionally open your Qualys subscription to view the full report. 


In the Registry 


The sensor deployed on a host does not poll the registry or pull images from it on its 
own. To analyse registry images, either deploy a registry sensor and configure registry 
scanning (see Registry Scanning), or deploy the sensor on a host that is configured to 
pull images from the registry and pull the new images to that host, manually or via a 
cron job. The sensor analyses each new image automatically as soon as it finds it. Use 
the APIs or the Qualys portal to query the vulnerabilities identified. 


Vulnerability scanning of Docker Containers 


Containers are scanned for vulnerabilities present within the container. The 
Vulnerabilities panel in Container Details lists them with their severity and QIDs. The 
All/Rogue toggle limits the list to rogue vulnerabilities (see Good to know below). Select 
Show Patchable Vulnerabilities to show only the vulnerabilities for which a patch is 
available. 


[Screenshot: Container Details > Vulnerabilities: the All/Rogue toggle, severity filters Sev 5 
to Sev 1, the Show Patchable Vulnerabilities option, the Vulnerabilities by Severity chart 
and the vulnerability list (QID, title, CVE, age, first detected).] 


Good to know 


Drift Containers are containers that contain vulnerabilities or software not found in the 
image from which the container was spawned. 


Rogue Vulnerabilities are classified as New, Fixed or Varied. New are vulnerabilities found 
on the container that were not present in the image from which the container was 
spawned. Fixed are vulnerabilities found in the image but not in the container. Varied are 
vulnerabilities found in both the container and the image, where the detection differs 
between them. 


Rogue Software is classified as New or Removed. New is software found in the container 
but not in the image from which the container was spawned. Removed is software not 
seen in the container but present in the parent image. 
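The classification above, as an added example (not Qualys code) that applies these 
definitions to two inventories. The input shape is this example's assumption: 
vulnerabilities keyed by QID with the detection string the signature matched, installed 
software keyed by package name with its version. The sample inventories are 
constructed, reusing QIDs that appear in the screenshots in this chapter. 

```python
"""Drift/rogue classification of a running container against its parent image.

Added example, not Qualys code. Applies the "Good to know" definitions:
  vulnerabilities -> New / Fixed / Varied,  software -> New / Removed.
"""
from dataclasses import dataclass, field


@dataclass
class Drift:
    new_vulns: set = field(default_factory=set)         # in container, not in image
    fixed_vulns: set = field(default_factory=set)       # in image, not in container
    varied_vulns: set = field(default_factory=set)      # in both, detection differs
    new_software: set = field(default_factory=set)      # installed in container only
    removed_software: set = field(default_factory=set)  # in image, missing from container

    @property
    def is_drift_container(self) -> bool:
        """Drift container: has vulnerabilities or software not found in its image.
        Fixed/Removed/Varied entries are still reported as rogue, but on their own
        they do not make the container a drift container under that definition."""
        return bool(self.new_vulns or self.new_software)


def classify_drift(image_vulns: dict, container_vulns: dict,
                   image_software: dict, container_software: dict) -> Drift:
    """Compare a container's findings with those of the image it was spawned from.

    image_vulns / container_vulns: {qid: detection_string}
    image_software / container_software: {package_name: version}
    """
    d = Drift()
    d.new_vulns = set(container_vulns) - set(image_vulns)
    d.fixed_vulns = set(image_vulns) - set(container_vulns)
    d.varied_vulns = {qid for qid in set(image_vulns) & set(container_vulns)
                      if image_vulns[qid] != container_vulns[qid]}
    d.new_software = set(container_software) - set(image_software)
    d.removed_software = set(image_software) - set(container_software)
    return d


def summarize(d: Drift) -> dict:
    """Counts per rogue category, the shape a dashboard or report row would use."""
    return {"new": len(d.new_vulns), "fixed": len(d.fixed_vulns), "varied": len(d.varied_vulns),
            "new_software": len(d.new_software), "removed_software": len(d.removed_software)}


# Constructed sample inventories (QIDs as on the page, detection strings invented here).
IMAGE_VULNS = {
    38510: "CA Agent response reveals exact OS version",
    38726: "openssh-server 7.4p1",        # CVE-2018-15473 username enumeration
    121328: "linux-image 3.10.0-693",     # CVE-2013-1059 libceph
}
CONTAINER_VULNS = {
    38510: "CA Agent response reveals exact OS version",
    38726: "openssh-server 7.9p1",        # same QID, different package version -> Varied
    370845: "linux-image 4.15.0-20",      # CVE-2018-7757 libsas, container only -> New
}
IMAGE_SOFTWARE = {"openssh-server": "7.4p1", "curl": "7.61.1"}
CONTAINER_SOFTWARE = {"openssh-server": "7.9p1", "curl": "7.61.1", "netcat": "1.10"}

if __name__ == "__main__":
    drift = classify_drift(IMAGE_VULNS, CONTAINER_VULNS, IMAGE_SOFTWARE, CONTAINER_SOFTWARE)
    print("drift container:", drift.is_drift_container, summarize(drift))
```

Note that a package whose version changed (openssh-server above) is neither New nor 
Removed software; it surfaces as a Varied vulnerability when a QID is detected against 
both versions. 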


Vulnerability Scanning of Docker Hosts 


The Container Security Sensor scans images and containers for vulnerabilities, not the 
host machine itself. Scan the host with a Scanner Appliance or a Cloud Agent. Host-side 
configuration for the Cloud Agent (for example, proxy configuration) is independent of the 
Sensor and must be done separately. 


Registry Scanning 


Using Qualys Container Security you can scan public and private registries. Public 
registries are cloud-accessible registries hosted on Amazon, Azure and Google; private 
registries are on-premise registries deployed on a private network, such as those hosted 
using Artifactory or Nexus. Qualys supports scanning only authenticated registries. Note: 
Currently you can only scan V2 type registries with Qualys Container Security. We support 
scanning the following registries: 


Public registries: Docker Hub, AWS ECR, Google Container Registry (GCR), Google Artifact 
Registry, Azure Container Registry (ACR) 


Private registries (v2-private registry type): 

- Docker Private Registry: insecure (http), secure (auth + https) 
- Docker Trusted Registry 
- Harbor 
- JFrog Artifactory Private 
- Mirantis Secure Registry (MSR) 2.9.4+ 
- OpenShift Container Registry (OCR) 
- RedHat Quay 
- Sonatype Nexus 


Note: An http (insecure) registry requires you to configure the docker engine on the 
sensor host manually to allow that registry, and credentials and image content are then 
sent in clear text. Qualys does not recommend using http; it is intended for testing in dev 
environments. For instrumentation support, see Container Runtime Security. 


Docker host requirements 


As a prerequisite, you must install the registry sensor on a docker host (with Docker, 
Containerd or CRI-O Runtime) which has access to the registry to pull images to scan. 


Docker version: 1.12 or later 


Disk space on docker host: Minimum 20 GB of free space on the partition where docker is 
installed. This is required to scan registry images. Additionally, 1 GB of free space is 
required for persistent storage. 


Connectivity 


The registry sensor host must have network connectivity to the registry to be scanned. If 
the runtime is Docker, validate connectivity with a successful docker login from the host to 
the registry. If the runtime is Containerd or CRI-O, validate it by pulling any image from the 
registry with crictl. 


Docker runtime (registry URL without the protocol prefix): 

docker login <registry-url> 

For example: 

docker login myregistry.com:5001 


Containerd/CRI-O runtime (any image that exists in the registry): 

crictl pull <registry-url>/<repository>:<tag> 


How does registry scanning work? 


Registry scanning is divided into two phases: the Listing phase and the Scanning phase. 


Listing Phase 


In the Listing phase, the Container Security sensor calls Docker Registry v2 APIs to collect 
all the image metadata information for the repository provided in the registry scan 
schedule. 


Qualys sensor makes catalog, tag, manifest and config API calls to collect information and 
this information is displayed on the UI. Based on the filters defined in the schedule by the 
user (e.g., scan images created in last 14 days), the images are queued for scanning. 


Note - For public registries (cloud accessible), Qualys makes the Docker Registry API calls 
and fetches information to feed the sensors for performing an image scan. In case of 
private registries, as Qualys cannot connect to them, the sensor performs both listing and 
scanning actions and sends information to Qualys. 


Scanning Phase 


Sensors provisioned as registry sensors poll Qualys periodically to see if any images are 
queued for scanning. Qualys assigns only a subset of the discovered images to each 
sensor. The response payload includes the image details along with the authentication 
credentials required to pull the image from the registry. 


The registry sensor pulls these images from the registry, gathers the information 
(a snapshot) and pushes it to the Qualys Cloud. Qualys then runs signatures on the 
collected information and generates a vulnerability report which can be viewed in the 
Container Security UI. 


If the repository has a lot of images to scan, the overall scanning time might be longer 
than usual. You can install multiple registry sensors to distribute the scanning payload to 
reduce the scan time and view the results faster. 


What are the steps? 


From the Container Security UI, download the sensor image and deploy it as a registry 
sensor in a network where it can communicate with both the registry and Qualys. Then 
create a new registry and set up a scan schedule on the repositories whose security 
posture you need. You can run an on-demand or a scheduled scan. Scheduled scans are 
incremental: only images added to the configured repository since the last scan are 
considered. 


We'll describe these steps in more detail: 
Installing Registry Sensor 
Adding a new registry to scan 
Creating a registry scan schedule 
Viewing vulnerable registry images 


Installing Registry Sensor 


Download the Registry sensor. Go to Configurations > Sensors, click Download Sensor 
and then click Registry. 


To install the sensor in registry mode, append the --registry-sensor option (or -r) to the 
sensor install command shown on the download page. 


Note: The sensor supports the ARM architecture when downloaded from Docker Hub. Binary 
installation is not supported for ARM. 


[Screenshot: Download and Deploy Qualys Container Sensor dialog: select the environment 
(General (Host), Registry) and follow the installation instructions.] 


Adding a new registry to scan 


You must add a registry in order to scan it. Go to Assets > Registries, and click New 
Registry. Make sure the registry sensor deployed on the docker host is in Running state. 


[Screenshot: Assets > Registries tab with the New Registry button.] 


In order to perform vulnerability and compliance analysis, you'll need to connect to the 
registries using registry authentication. Different types of authentication are needed to 
connect to different types of registries. 


Step 1 of 2: Registry Information 


Give the registry a name and select its type. Registries can be public or private. Public 
registries are those hosted on cloud providers such as Amazon, Azure or Google. Private 
registries are on-premise, such as those hosted using Artifactory or Nexus. If the registry 
is public, add credentials if they are needed. 


Ensure that the registry sensor deployed on the docker host is in Running state; the wizard 
shows the sensor status (for example, "Registry sensor not found/unknown" when no 
registry sensor is available). 


You need different types of credentials to connect to different registries. The supported 
authentication types are Token, BasicAuth, DockerHub and AWS. 


Note: Token authentication is used by the sensor host when connecting to the registry if 
the registry supports token-based authentication. 

For AWS ECR, you can create a connector to connect to your AWS Global or US GovCloud 
account. If you selected a standard AWS region, pick the Global account type in the 
connector details. If you selected a US GovCloud region, you must pick the US GovCloud 
account type in the connector details. 


[Screenshot: Registry Type: AWS ECR Connector, Connector Details: name, description, 
Global / US GovCloud account type, Qualys AWS Account ID, External ID and Role ARN 
fields.] 


Give your connector a name and a description (optional) and choose the account type. 
Then create an IAM role in AWS that gives Qualys cross-account access to your AWS 
resources and enter its Role ARN. Tip: You'll need the Qualys AWS Account ID and External 
ID shown in the connector details to complete the steps. 


1. Log in to the Amazon Web Services (AWS) Console. 
2. Go to the IAM service. 
3. Go to Roles and click Create Role. 
4. Under "Select type of trusted entity" choose Another AWS account. Then: 
   a. Paste in the Qualys AWS Account ID (from connector details). 
   b. Select Require external ID and paste in the External ID (from connector details). 
   c. Click Next: Permissions. 
5. Find the policy titled "AmazonEC2ContainerRegistryReadOnly" and select the check box 
   next to it. 
6. Enter a role name (e.g. CMS) and click Create role. 
7. Click on the role you just created to view its details. Copy the Role ARN value and 
   paste it into the connector details. 
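The console steps above, expressed as the IAM trust policy they create, together with the 
review check a practitioner should run on an existing role. This is an added example, not 
Qualys code: the account ID and external ID in it are constructed placeholders (use the 
Qualys AWS Account ID and External ID shown in your connector details), and the finding 
strings are this example's own. 

```python
"""Trust policy for the cross-account IAM role behind the AWS ECR connector.

Added example, not Qualys code. build_trust_policy() is the JSON equivalent of
"Another AWS account" + "Require external ID"; check_trust_policy() verifies that an
existing role still has both properties.
"""
import json

QUALYS_ACCOUNT_ID = "123456789012"   # placeholder: copy the real value from connector details
EXTERNAL_ID = "example-external-id"  # placeholder: copy the real value from connector details
READ_ONLY_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Only the trusted account may assume the role, and only when it presents the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, trusted_account_id: str, external_id: str) -> list:
    """Findings for every Allow statement that grants sts:AssumeRole; empty list means OK.

    Without the sts:ExternalId condition, the role ARN alone is enough for any other tenant
    of the trusted service to point that service at your role (the confused deputy problem).
    A principal wider than the expected account is an outright over-grant.
    """
    allowed = {f"arn:aws:iam::{trusted_account_id}:root", trusted_account_id}
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(st.get("Action", []))):
            continue
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: trusts any AWS principal")
            elif p not in allowed:
                findings.append(f"statement {i}: trusts unexpected principal {p}")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no StringEquals sts:ExternalId condition")
        elif external_id not in _as_list(ext):
            findings.append(f"statement {i}: sts:ExternalId does not match the connector's external ID")
    return findings


# Constructed example of what NOT to accept: anyone may assume the role, no external ID.
OVERBROAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    policy = build_trust_policy(QUALYS_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("good policy findings:", check_trust_policy(policy, QUALYS_ACCOUNT_ID, EXTERNAL_ID))
    print("overbroad policy findings:", check_trust_policy(OVERBROAD_TRUST_POLICY, QUALYS_ACCOUNT_ID, EXTERNAL_ID))
```

The printed JSON is what the console writes for you in step 4; if you script the role 
instead, save it to a file and pass it to aws iam create-role --assume-role-policy-document 
file://trust.json, then attach READ_ONLY_POLICY_ARN with aws iam attach-role-policy. Run 
check_trust_policy against the role's current trust policy whenever the role is reviewed. 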


For GCR (Google Container Registry), you can create a connector to connect to your GCP 
account. 


[Screenshot: Add GCR Connector: Connector Details (name, description) and Authentication 
Details (configuration file upload).] 


Give your connector a name and a description (optional). For authentication, enable access 
to the required APIs in the API library, create a service account and download its 
configuration file: 


1. Log in to the GCP console and select a project. 
2. From the left sidebar, navigate to IAM & admin > Service accounts and click CREATE 
   SERVICE ACCOUNT. Provide a name and description (optional) for the service account 
   and click CREATE. 
3. Choose the Viewer and Security Reviewer roles to grant the service account at least 
   reader permissions, and click CONTINUE. 
4. Click CREATE KEY. Select JSON as the key type and click CREATE. A message saying 
   "Private key saved to your computer" is displayed and the JSON file is downloaded to 
   your computer. Click CLOSE and then click DONE. 


Upload the configuration (JSON) file to complete GCP connector creation in the Qualys 
Cloud Platform. Handle this file as a credential: it contains the service account's private 
key. 


For ACR (Azure Container Registry), create a connector to connect to your Azure account. 


[Screenshot: Registry Type: Azure Container Registry Connector: Connector Details (name, 
description) and the authentication fields Application ID and Client Secret.] 


Give your connector a name and a description (optional). Create an application in Azure 
Active Directory, then note its Application ID and generate a client secret: 


1. Log on to the Microsoft Azure portal, navigate to Azure Active Directory and then to App 
   Registrations. 
2. Click New Registration and provide the following details: 
   a. Name: a name for the application. 
   b. Supported account types: Single tenant (Accounts in this organizational directory 
      only). 
3. Click Register. 
4. Copy the Application (client) ID. 
5. Navigate to Certificates & secrets in the left panel and generate a client secret by 
   clicking New Client Secret, providing the following details: 
   a. Description: a description of the client secret. 
   b. Expires: Never. (A secret that never expires is never rotated automatically; if your 
      policy requires rotation, choose a finite expiry and update the connector before it 
      lapses.) 
   c. Click Add. 
   d. Copy the client secret that is generated; its value is shown only at creation time. 


Assigning Service Principal 


Creating a registry scan schedule 


After providing registry information, move on to Step 2 to provide scan settings. 


Scan Type 


You can choose to scan immediately (On Demand) or on an ongoing basis (Automatic). An 
On Demand scan lets you scan repositories as well as specific images within those 
repositories (use the date and tag filters). With an Automatic scan, you scan entire 
repositories at a set time every day. 


Repository 


Add one or more repositories to scan. In the Repository field, enter the full repository path 
up to the last sub-directory containing the images you want to scan. Tip: The following 
command lists the full repository names that are part of a registry (the Docker Registry v2 
catalog endpoint; a large registry returns the list in pages and points to the next page in a 
Link response header): 


curl -u <username>:<password> https://<registry-url>/v2/_catalog 


Notes: 


- For Google Cloud Registry, the repository name should not include location information 
since you already provided the location under registry information. For example, the 
repository name should be: project-Id/repository-name 


- For Google Artifact Registry, only the repository name is needed. We'll auto populate the 
full path. 


Using Filters 


When the scan type is On Demand, you'll see the By Date and By Tags filters that allow 
you to select specific images within the repository to scan. 


By Date - Filter the list of images based on when the image was created. Select one of the 
options on the Created Date menu for the number of days, weeks or months ago the 
image was created. 


By Tags - Filter the list of images to scan within the repository by selecting tags assigned 
to those images. Enter a single tag name and click Add. Then enter another tag name and 
click Add, and so on. 


Using JFrog Artifactory Private registry? In this case you'll need to select images by tag 
name. You can further filter images by the image pushed date. 


Pushed Date - This option allows you to filter the images to be scanned based on when 
each image was pushed into the repository being scanned. Choose “All” to scan all images 
pushed into the repository regardless of the pushed date or “Custom Days” to only scan 
images pushed into the repository a set number of days ago that you specify. 
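The listing phase described under "How does registry scanning work?", the curl catalog 
tip above, and the By Date / By Tags filters, walked through as an added example (not 
the Qualys sensor's code) against the Docker Registry v2 API. The in-memory registry 
content and the fake_fetch transport are constructed so that the script runs offline; to 
run it against a real registry, replace fake_fetch with an authenticated HTTPS GET that 
returns (status, headers, body). 

```python
"""Listing phase of a registry scan against the Docker Registry v2 API.

Added example, not Qualys sensor code: catalog -> tags -> manifest -> config, then the
schedule filters ("created in the last N days", "by tags"). Registry content is constructed.
"""
from __future__ import annotations

import hashlib
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs, urlsplit

Fetch = Callable[[str], Tuple[int, Dict[str, str], bytes]]  # GET <path> -> (status, headers, body)
LINK_NEXT = re.compile(r'<([^>]+)>;\s*rel="next"')             # RFC 5988 pagination link


def paginate(fetch: Fetch, path: str, key: str):
    """Yield items under `key` from each page, following Link: rel="next" to the last page."""
    while path:
        status, headers, body = fetch(path)
        if status != 200:
            raise RuntimeError(f"GET {path} -> HTTP {status}")
        yield from (json.loads(body).get(key) or [])   # registries send "tags": null for empty repos
        m = LINK_NEXT.search(headers.get("Link", ""))
        path = m.group(1) if m else None


def list_catalog(fetch: Fetch, page_size: int = 100) -> list:
    """Every repository in the registry: curl .../v2/_catalog, but with all pages followed."""
    return list(paginate(fetch, f"/v2/_catalog?n={page_size}", "repositories"))


def list_tags(fetch: Fetch, repo: str) -> list:
    return list(paginate(fetch, f"/v2/{repo}/tags/list", "tags"))


def image_created(fetch: Fetch, repo: str, tag: str) -> Tuple[str, datetime]:
    """Resolve a tag to its config digest and the image creation time (from the config blob)."""
    status, _, body = fetch(f"/v2/{repo}/manifests/{tag}")
    if status != 200:
        raise RuntimeError(f"manifest {repo}:{tag} -> HTTP {status}")
    digest = json.loads(body)["config"]["digest"]
    status, _, body = fetch(f"/v2/{repo}/blobs/{digest}")
    if status != 200:
        raise RuntimeError(f"config blob {digest} -> HTTP {status}")
    created = json.loads(body)["created"].replace("Z", "+00:00")
    return digest, datetime.fromisoformat(created)


def select_images(fetch: Fetch, repos, max_age_days: int | None = None,
                  tags: set | None = None, now: datetime | None = None) -> list:
    """Queue (repo, tag, digest, created) for every image that passes the schedule filters."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days) if max_age_days is not None else None
    queued = []
    for repo in repos:
        for tag in list_tags(fetch, repo):
            if tags and tag not in tags:            # "By Tags" filter
                continue
            digest, created = image_created(fetch, repo, tag)
            if cutoff and created < cutoff:         # "By Date" (created date) filter
                continue
            queued.append((repo, tag, digest, created))
    return queued


# ---- constructed offline registry (stands in for https://<registry-url>) -----------------
NOW = datetime(2021, 3, 16, tzinfo=timezone.utc)    # fixed "today" so the date filter is deterministic
FAKE_REPOS = {                                      # repo -> tag -> image "created" timestamp
    "team-a/api": {"1.0": "2021-01-10T08:00:00Z", "1.1": "2021-03-12T09:30:00Z"},
    "team-a/worker": {"latest": "2021-03-15T17:45:00Z"},
    "team-b/legacy": {"2019": "2019-08-29T12:00:00Z"},
}
_PATH = re.compile(r"/v2/(.+)/(tags/list|manifests/([^/]+)|blobs/([^/]+))")


def _digest(repo: str, tag: str) -> str:
    return "sha256:" + hashlib.sha256(f"{repo}:{tag}".encode()).hexdigest()


def fake_fetch(path: str) -> Tuple[int, Dict[str, str], bytes]:
    """Stand-in HTTPS client answering the four v2 endpoints the listing phase uses."""
    url = urlsplit(path)
    q = parse_qs(url.query)
    if url.path == "/v2/_catalog":                  # paginated with n/last like a real registry
        repos, n = sorted(FAKE_REPOS), int(q.get("n", ["100"])[0])
        start = repos.index(q["last"][0]) + 1 if "last" in q else 0
        page, headers = repos[start:start + n], {}
        if start + n < len(repos):
            headers["Link"] = f'</v2/_catalog?n={n}&last={page[-1]}>; rel="next"'
        return 200, headers, json.dumps({"repositories": page}).encode()
    m = _PATH.fullmatch(url.path)
    if not m or m.group(1) not in FAKE_REPOS:
        return 404, {}, b'{"errors":[{"code":"NAME_UNKNOWN"}]}'
    repo, kind = m.group(1), m.group(2)
    if kind == "tags/list":
        return 200, {}, json.dumps({"name": repo, "tags": sorted(FAKE_REPOS[repo])}).encode()
    if kind.startswith("manifests/"):
        if m.group(3) not in FAKE_REPOS[repo]:
            return 404, {}, b'{"errors":[{"code":"MANIFEST_UNKNOWN"}]}'
        return 200, {}, json.dumps({"schemaVersion": 2, "config": {"digest": _digest(repo, m.group(3))}}).encode()
    for tag, created in FAKE_REPOS[repo].items():   # blobs/<digest>: serve the matching config
        if _digest(repo, tag) == m.group(4):
            return 200, {}, json.dumps({"created": created}).encode()
    return 404, {}, b'{"errors":[{"code":"BLOB_UNKNOWN"}]}'


if __name__ == "__main__":
    repos = list_catalog(fake_fetch, page_size=2)   # small page forces the Link-header path
    for repo, tag, digest, created in select_images(fake_fetch, repos, max_age_days=14, now=NOW):
        print(f"queued {repo}:{tag} {digest[:19]} created {created.date()}")
```

The catalog and tag listings cost one request per page; the created date costs two more 
requests per image (manifest, then config blob), which is why a schedule with a narrow 
tag filter lists faster than one that has to date-check every image in a large repository. 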


Scan Start Time 


When the scan type is Automatic, you'll need to select the time of day when you want the 
scan to start. The scan will start every day at the selected time. 


How to cancel a scan 


You can cancel an ongoing scan by editing the registry and then using the Cancel option 
from the Quick Actions menu of a scan job. You cannot cancel jobs which are in “Error” or 
“Finished” state. 


How to restart a scan 


Use the Rescan option to restart an On Demand scan. You cannot restart scan jobs that 
are in “Queued’ or “Running” state. 


Viewing vulnerable registry images 


Once you connect to the registry, Container Security pulls the inventory data and 
performs scans on repositories and images within the registries. Images are listed on the 
Assets > Images tab. 


[Screenshot: Assets > Images tab listing registry images (registry, repository, image ID, 
creation date, tag, vulnerability counts, hosts), with summary tiles (Total Images, Images 
detected without CS Sensor, Images with Sev 5, 4 Vulnerabilities, Docker Hub Official 
Images, Images not Compliant) and the Registry, Vulnerabilities and Compliance Posture 
filters in the left pane.] 


To get the total count of vulnerable images in a registry, go to the Assets > Registries tab 
and choose View Details from the Quick Actions menu for any registry. You'll see basic 
information like total repositories, total images and total vulnerable images. You'll also 
see a list of the scan schedules created for scanning the registry. 


Vulnerability Reporting 


Create customizable, QQL query driven, on-demand report jobs. Reports are driven by 
reporting templates. Currently we support vulnerability report templates for Images and 
Containers. Reporting workflows can be performed from the Reports tab in the 
Container Security UI. 


These vulnerability report templates are available: 
- Image Vulnerability Report 
- Container Vulnerability Report 


Image Vulnerability Report 


For each row in the report, you'll see image details (e.g. Repository, Image ID, SHA, etc) 
followed by vulnerability details (e.g. QID, Title, Severity, etc) for a single detected 
vulnerability. If the image has multiple vulnerabilities it will be listed multiple times (e.g. 
10 rows for 10 vulnerabilities on the same image). 


Container Vulnerability Report 


For each row in the report, you'll see container details (e.g. Container Name, Container ID, 
Host Name, etc) followed by vulnerability details (e.g. QID, Title, Severity, etc) for a single 
detected vulnerability. If the container has multiple vulnerabilities it will be listed 
multiple times (e.g. 10 rows for 10 vulnerabilities on the same container). 


Create Reports 


Go to the Reports section (on the top menu) and click the Create Report button. 


[Screenshot: Reports tab with the Create Report button and the reports list (name, status, 
format, date, template, type).] 


Walk through the Create New Report wizard. In the Report Details section, give your 
report a name and description. In the Report Source section, choose the report template 
for the type of report you want to create: Image Vulnerability or Container Vulnerability. 


You may choose to add a search query to limit the report to certain images/containers. For 
an Image Vulnerability report, only the images that match your query will be included. For 
a Container Vulnerability report, only the containers that match your query will be 
included. 


The Report Display page section shows you the types of details that can be included in the 
report. Simply select the check box next to each detail you want to include in the report. 
Your selections determine which columns appear in the CSV output. Note that certain 
details are selected by default and cannot be unchecked. Want to include all details? Pick 
the “select All” option and all details will be included. 


Click Next again to review the Report Summary and click Submit to generate your report 
Job. Once saved, the report job cannot be edited. 


Your report job will appear on the reports list with a status of Accepted . The status will 
change to Completed once the report is done and ready to download. 


View & Download Reports 


Choose Download from the Quick Actions menu for a completed report. The CSV report 
will be saved to your local downloads area. (Tip - Use the Search field above the reports list 
to quickly find a report using the search token reportName.) 


[Screenshot: Reports list with the Quick Actions menu (Download, Delete) open for a 
completed report.] 


Delete Reports 


To delete a single report, choose Delete from the Quick Actions menu, as shown below. To 
delete multiple reports in bulk, select each row for the reports you want to delete and 
choose Actions > Delete above the reports list. 


[Screenshot: Reports list with Quick Actions > Delete for a single report, and the Actions 
menu above the list for deleting selected reports in bulk.] 


Compliance Scanning 


Qualys supports compliance scanning/assessments of running containers and images. 
Perform Policy Compliance (PC) checks and configuration assessments on your running 
containers and images. We support a subset of controls from CIS Docker benchmarks, 
which are applicable to running containers and container images. Customers can assess 
configuration risks in their running containers and images and remediate them 
accordingly based on the Qualys findings. 


Prerequisites 


Upgrade your sensors to the latest version. Compliance Scanning support was added for 
General and CI/CD sensor mode in Container Security Sensor version 1.7.0 and added for 
Registry mode in Container Security Sensor version 1.9.0. 


How it works 


The updated Qualys Container Sensor runs an additional scan of the configuration of 
containers and images and uploads the additional scan metadata to the Qualys backend. 
From that metadata the backend assesses the applicable industry-standard benchmark 
controls and produces the compliance assessment. Compliance scans of containers and 
images are transparent to customers and run in the same real-time, cloud-native manner 
as vulnerability scanning. The configuration scan results are available in the UI and the 
API. In the UI, view Image and Container details to get the compliance posture (PASS or 
FAIL) and control information. 


View compliance information 


You'll see compliance information in the UI for your images and containers. On the 
Images list and Containers list, you'll see a column called Compliance with the number of 
controls that have a posture of PASS and FAIL. Here’s a sample list of containers: 


[Screenshot: Assets > Containers list with the Compliance column (PASS/FAIL control 
counts per container), summary tiles (Total Containers, Root Containers, Privileged 
Containers, Containers detected without CS Sensor, Containers in Drift, Containers not 
Compliant) and the Vulnerabilities, State, Drift and Privileged filters in the left pane.] 


Easily search images and containers by control ID, control criticality (MINIMAL, MEDIUM, 
SERIOUS, CRITICAL, URGENT) and control posture (PASS, FAIL). 


The search tokens are controls.controlId (a numeric control ID), controls.criticality and 
controls.posture. For example, to show the containers evaluated against control ID 10826: 


controls.controlId: 10826 


Drill down into the details for any image or container to see compliance information, 
including the list of controls that were scanned with control details (CID, criticality, 
statement, category, technologies). 


[Screenshot: View Details for container_abc > Compliance, listing the evaluated controls 
with their statements, for example: Status of the network ports set for the Docker 
containers on the host system; Status of the memory usage limitation for the Docker 
containers on the host; Status of the Docker containers health status; Status of the 
'cap-drop' flag settings on Docker containers on the host system; Status of the SSH server 
for the Docker containers on the host system; Status of the mount propagation mode 
setting on Docker containers on the ...; Status of the 'no-new-privileges' security option 
set for the Docker containers ...] 

Drill down into the details for any control to get control details, including the control 
category, policy and technologies. 


[Screenshot: Control Details for container_abc (Container Id 9f0979eca794, State: 
RUNNING), control "Status of the 'cap-drop' flag settings on Docker containers on the host 
system": CID 10808, Status PASS, Criticality Critical, Last Evaluated 3 days ago; Control 
Details: Category: Access Control Requirements; Sub Category: Authorization (Single-user 
ACL/role); Deprecated: No; Policy: CIS Benchmark; Data Points: 
dockersensor00.container.capdrop.] 


Compliance information can also be fetched using Compliance APIs. You can fetch 
compliance posture for an image or container, fetch control details, or fetch a list of 
controls. See the Compliance section of the Qualys Container Security API Guide. 
Administration 


For information on sensor installation and troubleshooting, refer to the Qualys Container 
Security Sensor Deployment Guide. 


Sensor updates 


Go to Configurations > Sensors to see a list of sensors. Use the search and filter options to 
search for sensors. See the online help for a list of QQL search tokens. 


When a newer sensor version is available than the one deployed, you'll see "Update 
Available" next to the sensor name. Update the sensor to the newer version to take 
advantage of new features and bug fixes and to remediate vulnerabilities. 


[Screenshot: Configurations > Sensors list showing sensor ID, version, host name, IP 
address and creation date, with an "Update Available" badge next to a sensor running an 
older version.] 


For sensors downloaded from the Qualys Ul 


Sensors deployed on docker with the installsensor.sh script or docker run command will 
be updated automatically (unless the --disable-auto-update option was used for the 
install script). Sensors are not updated automatically for Kubernetes deployments. Refer 
to “Update the sensor deployed in Kubernetes” in the Qualys Container Security Sensor 
Deployment Guide for instructions. 


For sensors installed from Docker Hub 


The Qualys Container Sensor image hosted on Docker Hub does not support auto update. 
See “Upgrading the sensor” in the section “Installing the sensor from Docker Hub” in the 
Qualys Container Security Sensor Deployment Guide for instructions. 
How to uninstall sensor 


The QualysContainerSensor.tar.xz file (which you download for sensor installation from the 
Qualys Cloud Platform) contains the script uninstallsensor.sh for uninstalling the sensor. 


To uninstall a sensor: 


If the docker host is configured to communicate over docker.sock, use the following 
command: 


./uninstallsensor.sh -s 


If the docker host is configured to communicate over a TCP socket, provide the address on 
which the docker daemon is configured to listen: 


./uninstallsensor.sh DockerHost=<IPv4 address or FQDN>:<Port#> -s 


Follow the on-screen prompts to uninstall the sensor. Qualys recommends that you do not 
clear the persistent storage. 